Does Your Church Set You Up For Spam Or Viruses?

No Comments

You receive an email from your church (or at least you think it is your church) Just like all things internet, things have a way of lingering or worse yet turning out to be something malicious. Is that what you intended when you sent it out? Probably not. Here are some best practices on how to insure that email recipients have a better chance of evening opening your email and also that you won’t be exposed to unknown viruses or future spam emails.

The rest is here:
Does Your Church Set You Up For Spam Or Viruses?


Google?s DoubleClick as virus carrier

No Comments

As always, exercise caution when following advertisements.

So says PC World in a post saying was infiltrated by hackers using Google’s DoubleClick banner ads as a vehicle.

“Websense caught the malicious coding and published its results, which spurred eWeek to scour its code and remove all phony advertisements,” says the story, going on:

The pest, named Anti-Virus-1, is complicated and smart. The advertisements are for antivirus software, and when a user clicked on them, the ads redirect to a pornography Website through a series of iframes. Then a PDF pops up loaded with evil code, exploiting a weakness currently festering in the Adobe systems; or the file index.php redirects to the rogue ad server. The server places a file named “winratit.exe” into the user’s temporary files folder and stays there without any user interaction.

eWeek may not be the first popular Website to be attacked, the story adds.

Read more from the original source:
Google?s DoubleClick as virus carrier

Share/Save/Bookmark malware victim

No Comments

Auction tools site has was unwittingly involved in a malware attack late last week, says The Register.

The incident came to light public after Google’s malware system warned that was infected, and eBay users, “complained of security problems involving on eBay’s forums around the same time,” says the story, continuing: acknowledged a problem on Saturday, initiating a clean-up operation that restored the site (albeit operating off fewer servers) a few hours later. It took other webservers offline in rotation as a precautionary measure on Monday, in a move that allowed it to pinpoint the problem. Auctiva said the infection originated in China.

The site was finally restored to full health on Tuesday morning but, “Surfers who visited the site between Thursday and Saturday afternoon were potentially exposed to malicious scripts, which attempted to exploit IE vulnerabilities to serve gaming password stealing Trojans onto vulnerable systems, security blogger Dancho Danchev adds,” adds The Register.

See original here: malware victim


Microsoft virus downs French jets

No Comments

French fighter jets were ground bound after military computers were attacked by a Microsoft virus, says Agence France-Presse.

They couldn’t download flight plans because their databases were infected by the virus, which they’d been warned about several months ago.

“At one point French naval staff were also instructed not to even open their computers,” says AFP, going on:

Microsoft had warned that the “Conficker” virus, transmitted through Windows, was attacking computer systems in October last year, but according to reports the French military ignored the warning and failed to install the necessary security measures.

The French newspaper Ouest France said the virus had hit the internal computer network at the French Navy.

Jérome Erulin, French navy spokesman told the paper: “It affected exchanges of information but no information was lost. It was a security problem we had already simulated. We cut the communication links that could have transmitted the virus and 99 per cent of the network is safe.”

The French navy admitted it had to return to telephone, fax and post, says AFP, adding:

“Naval officials said the ‘infection’ was probably due more to negligence than a deliberate attempt to compromise French national security. It said it suspected someone at the navy had used an infected USB key.”

Read the rest here:
Microsoft virus downs French jets


Glavmed responds – re: my Open Letter.

No Comments

Welcome Glavmed affiliates who are linking here directly from the Glavmed site. :)

For a very brief period of time yesterday (Feb. 4th, 2009) the following claims were posted on many pages of the glavmed portal site, and it makes it clear that they are seeing some negative attention as a result of my open letter:

4.Our rivals allege that our drug stores’ products have low quality. This is totally lie and defamation. We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality.

Unfortunately we can foresee the further organized pressure against our partnership programme, because normal business competition can’t be provided by them. We really take care of our partners and our customers.

This message was removed sometime between yesterday and today. It is unclear why, although I would guess that they didn’t want their own affiliates reading my posting. I and other researchers have also noticed that they are now blocking very specific IP addresses from viewing the Glavmed website.

A couple of obvious corrections need to be made right off the bat:

a) The letter was not written to you, Glavmed representatives. It was written to law and drug enforcement agencies, as well as the media who has been researching this.

b) I am absolutely not a “business rival”.

c) I am not the only one who has been researching your organization. My letter is a an account of the known, researched, verifiable facts regarding the scourge of unwanted Canadian Pharmacy websites. If I were trying to defame you, I wouldn’t have nearly as much factual evidence in my letter.

So in response, I’ll counter their bogus response point by point.

1. Glavmed claims on their front page (and I’m of course not altering their horrendous spelling and grammatical mistakes):

GlavMed is a BEST way to convert your pharmacy traffic into real money. Forget about miserable sums you’re getting sending your visitors to PPC pharmacy results.

You’re loosing at least half of YOUR money converting traffic like this. GlavMed offers you a possibility to eliminate any agents and sell most popular pharmacy products directly. It means 30-40% revenue share. features & benefits

Note: sell most popular pharmacy products directly. Which is it? Are they selling them or not?

Whether they sell the drugs themselves or not is ultimately irrelevant. They are part of a long chain that gets illegally-produced FAKE and harmful versions of these products into the hands of unwitting members of the public. There is copious amounts of evidence to support this, and they know it.

Glavmed is an affiliate program. They get their affiliates (aka: spammers) to promote (aka: spam) the websites (hosted via rampant viral PC infections) to sell fake drugs to unwitting victim customers. Who do they send that order data to? They don’t say. But they know who that is, and they know that they are taking these orders without any consultation with any pharmacist. They also do all of this with absolutely ZERO security or encryption, so you can imagine how they’re treating the rest of your personal data.

2. Sure, they state on their website that they don’t allow spamming, but as I mentioned: they removed any of the postings which made it clear that very actve spammers are indeed a part of their program. Nowhere do we find ANY postings within their forum about any actual action taken against spammers. Literally everyone with an email address will know that Canadian Pharmacy is THE most spammed property on the Internet today, and has been for three years and counting. If they don’t allow spammers, why is it still the most commonly found spam in the world today? You can have rules all you like. If you’re not enforcing them: what does it matter?

As an aside, I and many other individuals have been complaining to Glavmed under numerous identities starting in May of 2008. I have personally sent, using numerous of my accounts, at least 25 very detailed complaints regarding spam messages I have received between May 2008 and January 2009. Guess how many responses I’ve gotten? Guess how much “action” I’ve seen on behalf of Glavmed, or anyone else claiming to represent this operation? ZERO! Guess where their abuse-reporting pages are on their site? THEY DON’T HAVE ANY!

This claim is utterly false. They take zero action regarding their KNOWN spamming affiliates, and they never will.

3. If Glavmed has been aware all this time that so-called third parties were ripping off their site designs, functionality and everything else: why haven’t they drastically changed their entire design, branding, etc., or made ANY public statement regarding any of this? Why did they wait until someone like me exposes the whole setup for the obviously fraudulent operation that it is? This is an outright lie.

4. Again I will link to actual evidence (source), on behalf of a reputable company — Ironport — who placed orders from one of these sites, and gave the pills they received to a lab for analysis:

False Drugs Purchased

IronPort researchers followed the trail they uncovered and ordered sample pills from a pharmacy source in India. They then had an independent lab analyze the contents. The pills IronPort ordered contained sugar and some inert filler, Bhandari said.

A second test sampling from another online pharmacy purchase contained high metal content. The substances could be very harmful to unsuspecting consumers, he said.

IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors, according to IronPort.

So in light of this report: I don’t believe a single word Glavmed says, and I don’t think anyone else should either.

Keep in mind: this is only one such report. There are others.

I notice that they completely ignore any mention of concern over the rampant illegal spamming which continues on behalf of Canadian Pharmacy, nor do they even broach the subject that as recently as October 2008 their site templates still contained bogus “sponsorship logos” on behalf of the Better Business Bureau, Verified By Visa, and Pharma Checker, nor do they mention that they were making very public statements that they knew full well that all of these logos were not being used appropriately.

The Spamtrackers wiki entry for Glavmed contains a screenshot of the Glavmed sites page dating from July 2008 which shows the Canadian Pharmacy layout still featuring the bogus sponsor logos. (source.)

In addition: this howler of a claim:

“We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality.”

Their claim that they have all kinds of feedback saying how great they are is meaningless.

Which “indinan laboratories”? Which “independent test results”? On behalf of whom? Published where, exactly?

Of course they will never say.

What about third-party, verified claims and lab tests that your products are genuine? What about third-party reports that your servers actually are secure? If I’m selling you a car and you ask me for verification that the car is in road-ready shape and is safe to drive, I can’t just start typing you a recommendation myself. I would need a third party inspector to verify that my claims that this vehicle was safe were in fact true. Glavmed doesn’t do this, nor have they ever.

“We really take care of our partners and our customers.”

Really? I know for a fact that numerous of your customers would very much beg to differ.

Clearly my letter has hit a nerve. As usual, their response, as with many obvious spam operations, is more concerned with damage to their profits than anything to do with public safety, or the security of your personal data.

Glavmed’s claims are theirs alone, verifiable by nobody, and easily countered point by point as being verifiably false.

I stand behind every word of my posting. This is not defamation. Again: I am only one individual, but my posting links to research performed by literally dozens of others, from a very wide variety of technical, medical, security and other backgrounds.

Use your own judgement: Glavmed, and the entire operation they support, are liars and part of a criminal operation. The proof isn’t just in my open letter. It’s all over the place.

SiL / IKS / concerned citizen

Continued here:
Glavmed responds – re: my Open Letter.


Internet crime on the increase

No Comments

Internet crime has intensified in the past six months with crooks cashing in on economic confusion and anxiety.

Consumers and businesses alike are being targeted, says The Australian, going on:

Thieves are sending out phoney emails and putting up fake Web sites pretending to be banks, mortgage-service providers or even government agencies like the Federal Bureau of Investigation or the Federal Deposit Insurance.

Mobile and Internet-based phone services have also been used to seek out victims.

The object: to drain customer accounts of money or to gain information for identity theft.

More than 800 complaints have been logged by the National White Collar Crime Center in the US, so far this year from checking-account customers in the US about mysterious, unauthorized transactions of $10 to $40 that appear on monthly statements, says the story, and the FBI Internet Crime Complaint Centre, “confirms a increase in cyber-attacks.”

Most attacks to be “scattershot” with spam emails”blasted randomly to thousands of computer users at once,”” says The Australian, continuing:

“Now crooks are starting to single out specific targets identified through prior research, a tactic called “spear phishing.” In these attacks, emails are sent to the offices of wealthy families or to corporate money managers, for example. They address potential victims by name and company or appear to come from an acquaintance.”

Moreover, identity thieves have become, “increasingly sophisticated in recent years,” the story has says Pam Dixon, executive director of the World Privacy Forum, a non-profit public interest research group, saying.

“It used to be you could pick them out by their bad grammar, but now it’s much more difficult,” she says. “You really have to be careful.”

Originally posted here:
Internet crime on the increase


Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA

No Comments

To whom it may concern (and ultimately it concerns all of you.)

I write today to petition your attention towards a large-scale international illegal pharmacy operation known as Glavmed.

Glavmed are the sponsor program promoting the very-widely-spammed property known as “Canadian Pharmacy”. (Hereinafter referred to as “CPh”.) If you have an email address of any sort, it is very likely that you’re at least mildly aware of Canadian Pharmacy. It’s the most commonly spammed property on the Internet today, and shows no signs of slowing down whatsoever. CPh has been relentlessly spammed to millions of recipients for the past three years. Here is a screenshot of a currently spammed domain,

Further (although technically speaking this is less of an issue than the risk to public health and safety): these sites’ continued use of the brand name “Viagra” is in violation of the trademark and intellectual property rights of Pfizer, who owns the Viagra name and the patent on its particular medicinal formula. There is no such thing as “generic” Viagra, nor has there ever been. It is not legal to make — or claim to make — Viagra while Pfizer still holds the patent. The same is true of Cialis and Levitra.

Sales of these alleged “generic” pharmaceuticals violates the law in most countries around the world. Sale of these products in their legitimate form without consultation with a physician or a registered pharmacist is also illegal, and violates several sections of the FDA act.

Finally: sale of controlled substances – phentermine definitely qualifies, but again: who knows what’s actually in the pills this “company” is selling to you? – is also against the law when done so without any registered pharmacist or a valid, authorized prescription.

This organization breaks several international laws, but more importantly it poses a very serious threat to the public’s health.

Promotion Via Illegal Spam

The only way that perhaps 70% or more of the world has heard of Canadian Pharmacy is via the unrelenting, large-scale receipt of illegally-sent spam email messages. By “illegally-sent”, I refer specifically to the fact that they (or someone or some group working on their behalf) send these emails using very large scale “botnets” (definition) comprising several thousand of exploited public computers. Over the past three years, no fewer than six (6) IT security organizations have performed research on a variety of these botnets, most notably the Storm botnet, and discovered that one of the primary uses of this botnet was to send spam email messages promoting these CPh websites.

I myself have written on this blog and on numerous spam- and cybercrime-related forums regarding Canadian Pharmacy, and I’ve specifically been researching their operations starting in mid-2006. (previous posting) However I am far from the only individual researching this organization.

Finnish Security Company “F-Secure” posted research tying spam messages promoting spamvertised websites for CPh on November 11th, 2006. (source) In this research they discovered that a PC exploit then known as “Warezov” was capable of sending spam. That spam contained urls for websites promoting what was then known as “Pharmacy Express.” Pharmacy Express turned into Canadian Pharmacy in early 2007. The spam runs promoting these websites would often send tens of millions of messages to addresses around the world. The domain names for the Pharmacy Express sites were virtually identical in naming structure to those used as name servers for other sites which were being used as infection points for the Warezov virus, as well as domains used as name servers for both the warezov infection sites and the CPh websites. More on Warezov and it’s functionality later.

Fast-Flux Hosting Via Hijacked Public Computers (Storm Worm)

Focusing again on the abovementioned domain, we can see that some unique hosting solution is being used for the “” domain by running a “dig” command against that domain:

sign up form features no section where anyone needs to disclose whether they are a medical professional or a pharmacist at all, or whether they are retaining one for the purposes of fulfilling prescriptions for the pharmaceuticals these sites sell.

So how did I discover the link between Glavmed’s affiliate program and Canadian Pharmacy? I joined their affiliate program. I will not disclose the details of my affiliate account other than to say that I have never used it for any promotional purposes on behalf of glavmed or Canadian pharmacy. Once I was approved, I was sent a link to their site templates which made it very clear that this was a very large-scale, highly organized operation, and that they are indeed 100% responsible for Canadian Pharmacy, and therefore responsible for the relentless spamming which occurs on their behalf.

As it turns out, apparently one of their supporters or affiliates posted a very Glavmed-friendly piece on a website known as (source), which alleges to rate the various online pharmacies promoted by Glavmed. They of course make absolutely no mention of the fact that these sites are easily the most prolifically-spammed properties on the Internet today. That entire domain appears to be a very spam-friendly site, and it links to a known base-domain which glavmed sites have been using for payment processing for three years now,

Some interesting additional notes: They have modified several threads in their forums. These threads previously contained postings by several members which made it very clear that not only were Glavmed and their affiliates aware that many of their ranks were involved in large-scale spamming, but that they also knew they were lying about the use of logos such as that of Pharma Checker.

This thread previously had a posting (following posting #4, which is now the final posting in that thread) which stated that there was no valid Pharma Checker account for the Canadian Pharmacy websites. (A valid Pharma Checker is required in order to place a link to any pharmaceutical sites within a Google Adsense campaign, among many others. One affiliate was refused. I feel certain that many others must have been refused as well.) Another thread regarding spamming (source) had several pro-spam postings dating back to late 2007. These were removed sometime between December 2008 and January 2009. That was previously located after posting #3. Clearly someone is removing any expository evidence. (I and many others have archives of this forum however.)

Glavmed / Spamit / Storm / Canadian Pharmacy / RBN

Further, no less an authority than Ironport, a major spam-fighting corporation, made direct connections between Storm worm, Canadian Pharmacy, Glavmed, and their underground affiliate portal (and likely the real smoking gun) known as (source) Ironport also placed several orders to verify what would happen with their bait credit card information, and to see whether they would actually receive anything from the order. They did receive a package containing pills which contained sugar and what was referred to as “inert filler”. Another contained “high metal content”. This is clearly a very high risk to the public’s health.

I and many other researchers and security professionals believe it is time for someone to take decisive action against this operation, which has profited for at least four years now and is only continuing to grow. Research and evidence abounds regarding the connections between Canadian Pharmacy, Glavmed, The Storm Worm and the Russian Business Network. All of these are known by numerous security and law enforcement agencies to be operating in flagrant violation of international law. I and the citizens of my country and those of pretty much every other country are fed up with continual bombardment of these spam messages, promoting websites which lie in every word of their content, which sell fake and harmful products, and which endanger the lives of the general public. We are fed up with the complete lack of action on behalf of anyone in Law Enforcement to go after Glavmed, their affiliates, their site operators, their payment processors, their hosting providers and their domain registrars. The time for action is now, especially with the abundance of available research into this organization and their practices.

Please take this appeal very seriously. I welcome your feedback.

Very sincerely,

SiL / IKS / concerned citizen

Further research into Canadian Pharmacy

Spam Wiki: Canadian Pharmacy

Further research into the Storm Worm

Storm Worm Botnet Cracked Wide Open–/news/112385

Russian Business Network (RBN): Georgia Cyberwarfare – Attribution & Spam Botnets

Full-disclosure: It’s time to get serious about Storm Worm / RBN

Slashdot: We Know Who’s Behind Storm Worm

Excerpt from:
Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA


AVG buys Sana Security

No Comments

Popular Czech online protection company AVG Technologies now owns Sana Security, a Californian company which produces identity-theft prevention software.

In a statement, the Sana acquisition will, “complement the antivirus firm’s existing portfolio by ‘delivering continuous threat detection and automatic removal of malicious software proactively’,” it says in a ZDNet UK story, going on

    Describing Sana’s products as ‘zero-day-type protection’, AVG chief executive JR Smith told ZDNet UK on Tuesday that ID-theft protection — added to AVG’s signature-based protection and trusted-site analysis — formed a “third layer that we feel will allow us to help people protect their identities and [their] whole online world.

Sana software, “only uses one percent of the user’s CPU power,” Smith stated, “suggesting that this would help in providing optimum system performance.

“Peter Baxter, Sana’s UK managing director, also told ZDNet UK in the same phone-call that Sana’s technology – which he said was different from rivals’ software by virtue of completely removing malicious code rather than just quarantining it – would remain compatible with antivirus packages other than those made by AVG,” says he post.

See original here:
AVG buys Sana Security


2008: A Significant Year In The Fight Against Illegal Spammers

No Comments

The year of 2008 represented the highest strings of arrests, prosecutions, sentencings and imprisonments of illegal spammers in the history of illegal spamming. 2007 was already a very bad year for spammers. 2008 continued this trend, all of which underscores the fact that people really are fed up with hearing from spammers, and that spammers will go to jail if they continue to spam illegally or engage in identity theft or fraud.

Here is the basic run-down of 2008. Enjoy!


  • We begin the year still revelling in the arrest of Robert Soloway, and the investigation into the computers and properties of Shane Atkinson, known spammer and sponsor representative for SanCash and VPXL. Intensive investigations are ongoing into both of these cases as the year begins.
  • Alan Ralsky, and several of his colleagues (notably one James E. Fite, aka “buba” on, are indicted. The indictment carries 41 counts including Fraud, Wire Fraud and Money Laundering. He faces a sentence of 26 years in jail for the tax evasion charge alone.
  • SpamInMyInbox continues his investigation into what is now known to be SanCash.


  • Several colleagues commence an intensive communications campaign between ICANN and XIN NET (also known as “paycentre”) in the hopes of waking them up to the mass amount of illegal abuse they are supporting by allowing domains to be registered using 100% fictitious contact information, in violation of ICANN accreditation policies. It sounds dry, but this is a huge achilles heel for spammers, and more importantly the sponsors who pay them. Without a large supply of illicitly-registered domains, spammers have nothing to promote, and sponsors lose money. This campaign would turn out to take many weeks and months. Red Dwarf, Alpha Centauri and (most notably) trobbins file literally hundreds of thousands of complaints using Red’s “Complainterator.”


  • Renowned unrepentant criminal spammer Robert Soloway pleaded guilty to charges of felony mail fraud, fraud in connection with electronic mail and failing to file a tax return in 2005.


  • SpamInMyInbox’s investigation into SanCash, GenBucks, Tulip Lab and “VPXL / Express Herbal” continues. Tulip Lab serves him no notice while launching a lawsuit claiming (we think) libel. He later removes several references to Tulip Lab. Meanwhile New Zealand law enforcement firm up their plans to charge Shane and Lance Atkinson for illegal spamming pending their continuing investigation into several computers they seized in December, 2007 following the BBC4 investigation into the same operation.


  • SpamInMyInbox is placed under a temporary injunction thanks to the Tulip Lab complaint. He removes all mention of Tulip Lab from his blog.
  • The criminal charges keep on coming! On May 19th, 2008, US Attorney General Michael B. Mukasey holds a press conference in Bucharest, Romania announcing the indictment of 38 individuals, from numerous countries, all of whom were involved in phishing scams based out of California and Connecticut. This is fairly big news since it involved the cooperation of Romanian law enforcement officials, and communication between several international law enforcement agencies including the FBI.

    Other links to this story: New Haven FBI Press Release, Overview of the Law Enforcement Strategy to Combat International Organized Crime [pdf], US DOJ Indictment, and coverage by GarWarner’s blog.

  • SiL’s Blog (the very one you are reading now, gets listed in The Industry Standard’s Top 25 B-to-Z List Blogs.
  • SiL creates a new entry in the Spam Wiki which outlines in relatively good detail the perceived infrastructure and hierarchy of a typical pharmacy or replica email spam operation. He also firms up quite a bit of evidence regarding each of the known sponsors of illegal spam, including Spamit, and SanCash (also known as AffKing.)
  • Todaynic, long a haven for the registration of literally millions of spamvertised domains per year, suddenly take decisive action and shut down a very large list of domains which have been registered using completely fake contact information, and which are used in spam campaigns for properties such as Canadian Pharmacy, ED Pill Store, Downloadable Software, Prestige Replica, Exquisite Replica, etc. etc. etc. They even go so far as to automate the verification and shutdown process against any domains listed in the uribl list under their registration. This is a huge blow to spammers and their sponsors as it slam a door shut on a previous aider and abetter of illegal spammers.


  • More criminal charges! Robert Matthew Bentley of Panama City is sentenced to three and a half years (41 months) in jail and fined $65,000USD for hijacking hundreds of PC’s for use in a botnet which was used in attacks and popup ad fraud. This is the result of nearly two full years of investigation as part of “Operation Bot Roast II”
  • Paul Laudanski leaves castlecops to become a full time Internet Safety Investigator for Microsoft’s Live Consumer Services.
  • Greg King, renowned for DDOS’ing Castlecops in February 2007, pleads guilty to two felony counts of transmitting code to cause damage to protected computers. He faces a maximum of 20 years in prison and a fine of $500,000USD.
  • XIN NET finally (FINALLY!) takes action on not just a few, not just a few dozen, not just a few hundred, but several tens of thousands of illicitly-registered domains. This has a devastating effect on several spam sponsors, notably Spamit and SanCash. None of the spammers or sponsors dares complain publicy, but the effect is obvious and we notice several mailers suddenly switch 100% from mailing PowerEnlarge, Prestige Replicas, MaxGain+, VPXL and Canadian Pharmacy, to instead spamming long-in-the-tooth pump and dump stock symbols. (CYHD, then AGSM.)
  • Almost overnight, sponsors and domain registration mules switch from XIN NET and Todaynic to otherwise unknown domain registrar “Xiamen Chinasource Internet Service Co., Ltd.” Red Dwarf and trobbins lead the charge to informing them of this shift in the spammer’s (or their sponsor’s) activity and they immediately also begin shutting down and nullrouting several hundreds of new domains per day, all of which feature verifiably fake contact information and are used, of course, in illegal spam campaigns supporting bogus or dangerous products.
  • Research by Ironport correctly identifies the operators of the Storm Worm as the same group responsible for the rampant spamming on behalf of “Canadian Pharmacy”. Most domains used for Canadian Pharmacy are also hosted on fast-flux botnet hosting, further digging the whole for that operation. The Register reports on it, further expanding the audience for this important research.
  • Martin Heller receives a memo from Garth Bruen of KnujOn detailing why XIN NET should be issued a breach notice from ICANN. His timing is a little late, but it further raises the lingering issues with XIN NET in the public eye. Heller also draws a direct relationship between XIN NET and several well-known SanCash spamvertised properties including Wondercum and Diamond Replica.
  • Between June and July, a very large spate of Storm worm spam attempts to convince unwitting Internet users to click on links leading to hijacked websites with the hopes of greatly increasing the number of usable bots in the Storm botnet. Spam messages initially take the form of winsome (if illiterate) love letters with subject lines like “Always with you” or “Always in my heart”. Shortly thereafter, they exploit breaking news of the earthquake that hit China in late June, claiming “Millions dead in China Quake”. Then still later, they take on a variety of totally fake “news headlines” such as “The beginning of World War III”, “Angelina Jolie dies during childbirth” and “USA declares war on Iran.” For whatever reason, recipients appear to click on the links anyway and the Storm worm gains in numbers. [source]
  • SanCash debuts their “Exquisite Footwear” brand of fake designer goods. SiL creates the Exquisite FootWearErator to counteract these spam messages. Later on, in July, spam for this brand diminishes significantly. :) (Coincidence?)


  • The CastleCops Bulk Spam Reporting Wiki Entry is created and swiftly becomes a valuable evidentiary tool for domain registrars, hosting providers and law enforcement. Within a very short time, several domain registrars begin to take notice and investigate the fraudulent registration of thousands of domains used in the spamming of all manner of bogus or illegal sites. The wiki entries are regularly updated by numerous CastleCops staff members.
  • Sentencing begins for Robert Allen Soloway, who is (at the time) expected to get from 14 to 20 years behind bars after pleading guilty to mail fraud, e-mail fraud, and tax evasion.

  • More arrests! On August 13th, the US Dept. of Justice announced the indictment by a federal grand jury of seven residents of Pulaski County, MO. involved in an illegal online pharmacy. Anthony D. Holman is the alleged ringleader of the group, and also designed the templates for the sites his affiliates would use to promote the online pharmacy. The seven individuals allegedly made $3.4 million (USD) of profit via their “PersonalizedRx, LLC” online pharmacy, which sold many controlled pharmaceuticals. Holman and his partner Arcelia Holman were also charged with five counts of money laundering.

  • August 14th, 2008 sees the sentencing of renowned AOL spammer Michael Dolan to seven years in prison on charges of fraud and aggravated identity theft related to repeated harvesting of AOL accounts who he would then send malware to steal account details and other personal information. He also participated in numerous phishing exploits on AOL members. Following his seven year sentence he will face three years of supervised release. Dolan appears to have followed in the footsteps of the likes of Chris “Rizler” Smith, engaging in witness tampering and other extremely illegal practices.
  • August 22nd, 2008: Still more arrests!

    There are some really damning statements in this press release. More exerpts:

    Did I mention that it’s a bad time to be an illegal spammer?

  • More legal activity in Alan Ralsky’s case. On Oct. 15th, Judy Devenow, an accomplice in Alan Ralsky’s stock spamming operation, pleads guilty and agrees to assist law enforcement investigators. At the time she faces from 33 to 41 years in prison related to charges of assisting in Ralsky’s stock manipulation, money laundering and wire fraud operation. Her sentence could be reduced based on how much she assists prosecutors.
  • On October 23rd, a Dutch newspaper releases a story claiming that three hackers from Russia and Ukraine were arrested. [Image of English translation available here.]

    Google translated:

    this story.]

  • On Dec. 10th, the FTC orders a pair of companies related to a series of bogus antivirus products to shut down and freezes their assets. (The companies were known as Innovative Marketing, Inc. and ByteHosting Internet Services, LLC but operated under numerous aliases.) For many months this company and its affiliate program had been duping unsuspecting consumers into believing their computer had become infected with hundreds of viruses, trojans, and other malware, encouraging them to download and install their alleged antivirus product, which went by a variety of names such as “WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus”. Of course installing that software led to no genuine protection against any malware, and the company profited massively from this frauduelent activity. One such operation was dissected in October 2008 by the SecureWorks team. [source.
  • In a related story, on Dec. 10th, Microsoft releases Security Intelligence Report 5, in which they detail a rather large list of infections which the Microsoft security updates had removed over the past several months. Gar Warners blog delves into the data and explains how massive a removal this really is, numbering in the millions of removals of the Zlob infection, among many others. Looks like it’s a bad time to be in the fake antivirus business.
  • Dec. 17th, How Wai John Hui pleads guilty to federal fraud and money laundering charges related directly to the Alan Ralsky case. Hui stands to benefit greatly by cooperating with investigators. Even if Hui significantly cooperates with the ongoing investigation into Ralsky and his “business” dealings, he stands to serve from 32 to 39 months (just over ~2 – 3 years) in federal prison, and must “forfeit $500,000 in illegal earnings.” This, in addition to October’s news of accomplice Judy Devenow cooperating with police, is extremely bad news for Ralsky.
  • On Dec. 19th, SiL’s “winnings tally” surpasses One Billion Dollars US. It has only been 33 days since he started keeping track of the monetary totals he was allegedly “winning” or “inheriting” via fake Nigerian scam letters.
  • On Dec. 22nd, New Zealand court documents are unsealed stating that Lance Atkinson has “admitted his part in a major international spamming operation and will pay a financial penalty of $100,000 plus costs of $7666.” [source] His fine is reduced from the $200,000 maximum due to his cooperation with law enforcement and the fact that when he began SanCash, spamming itself was not illegal in New Zealand. Shane Atkinson and Roland Smits have instead chosen to defend themselves against these charges. No word on a court date at this time, and no word on the still-pending FTC charges.See also this press release, which goes into further detail and specifically mentions Tulip Labs as being directly involved with this illegal operation.
  • In some additional followup, the author of writes a year-end roundup regarding his investigation into SanCash, GenBucks, and Tulip Lab, indicating he is interested in pursuing the charges against him on behalf of Tulip Lab:

    Regarding the case against me in Delhi High Court, India, then currently all of my research is being evaluated by NASSCOM (because of the techincal dept of parts of it) who will report back to Delhi High Court, and the next hearing will be in the end of february 2009, which can be read in the following court document:

    He further states that apparently Tulip Lab is currently “interested” in withdrawing their charges against him. (I just bet they are.) This indicates that there will likely be a lot more interesting stuff in 2009 regarding this case.

  • In some very disappointing news, at midnight on the morning of Dec. 24th, 2008, revered Anti-spam and Anti-cybercrime site, which for several years had been instrumental in collating and organizing criminal evidence related to illegal spamming, cybercrime, malware and phishing, closed up indefinitely. As of this writing it is unknown whether the site will ever reappear. The operators of the site had been struggling to maintain it even under crushing workloads at other jobs. That coupled with further complications ultimately led to its demise. Members of the site had to discover or create other means of connecting to each other, and in its wake several wikis, forums and blogs started up, with more very likely to start up in the new year.
  • From Dec. 4th through Dec. 26th, “trobbins”, a long time collector and mass-reporter of illegally registered domain names, successfully shuts down just over 12,000 domains used in spam campaigns for the usual variety of bogus “products” promoted via illegal spammers and their sponsors. Much of these domains were registered via domain providers located in China (35 Technology, BizCN, Xin Net, etc.) trobbins is by no means the only individual reporting these domains to registrars around the world, but he has a striking ability to convince even previously non-responsive domain registrars to take action on large numbers of illicit domains, registered using 100% fake contact information. Most of these registrars were previously considered bullet-proof by spammers and their sponsoring companies.

Phew! That’s a lot of activity! Way more than occured in 2007. Mostly all of it good news for people who hate spam and the people who profit from it. A very great deal of it completely bad news for most operators within distributed spam operations.

Clearly we’re entering a more mature phase with regards to legislation of illegal activities and how they relate to online means of execution. To see the sheer breadth of international cooperation between disparate law enforcement agencies is a very encouraging sign, and one that points to even more arrests and other legal action against illegal spammers.

I’ll still say it, since it’s always worth repeating:


To do so is to basically give away your personal data to criminals, to risk having your identity stolen, and to risk personal harm to yourself, or even death.

Happy Holidays everyone. Stay safe!

SiL / IKS / concerned citizen

Original post:
2008: A Significant Year In The Fight Against Illegal Spammers


Recession helps computer criminals

No Comments

The world recession may be helping cyber crooks to trick people into opening their homes and bank accounts and becoming “mules” for laundering money or stolen goods, says the Associated Press.

McAfee’s annual “Virtual Criminology Report” says 873 money-mule recruitment Web pages were detected in Britain in the first half of 2008, “a 33 percent increase over the first half of 2007,” says the story, going on:

That data [sic] was compiled by APACS, the United Kingdom’s payment-industry trade group.

More evidence emerged from a recent study by Panda Security, a Spanish software vendor that found that job-related messages hit a record of 0.3 percent of all spam in October, nearly triple the proportion from August. And the success rate in recruiting money mules rose to 1.8 percent in October, from 0.5 percent in August.

The company tracked the figures with another unnamed large security firm which was monitoring active mule networks, says AP, adding:

“Computer attacks in general have sharply increased in the past few months.

“IBM says the number of daily attacks it spotted against Web servers and computer networks increased 30 percent over the past four months, to more than 2.5 billion attempted incursions worldwide.

” ‘Those are very scary numbers,’ said Gunter Ollmann, chief security researcher for IBM’s X-Force security services team’.”

Excerpted from:
Recession helps computer criminals


Older Entries